Microsoft warns of new malware attacks with Office documents

Microsoft warns of increase in Adnel and Tarbir Trojan attacks on Excel and Word users

Microsoft has warned Microsoft Office users of a significant rise in malware attacks delivered through macros in Excel and Word. In a report published on its blog, Microsoft says there has been a more than threefold jump in malware campaigns spreading two different Trojan downloaders. These Trojan downloaders arrive in emails masquerading as orders or invoices.

According to Microsoft, the malware is being spread through spam emails with the following subject lines:

ACH Transaction Report

DOC-file for report is ready

Invoice as requested

Invoice – P97291

Order – Y24383

Payment Details

Remittance Advice from Engineering Solutions Ltd

Your Automated Clearing House Transaction Has Been Put On

The attachments used in the Adnel and Tarbir campaigns are usually named as follows:

20140918_122519.doc

813536MY.xls

ACH Transfer 0084.doc

Automated Clearing House transfer 4995.doc

BAC474047MZ.xls

BILLING DETAILS 4905.doc

CAR014 151239.doc

ID_2542Z.xls

Fuel bill.doc

ORDER DETAILS 9650.doc

Payment Advice 593016.doc

SHIPPING DETAILS 1181.doc

SHIP INVOICE 1677.doc

SHIPPING NO.doc

The Microsoft TechNet blog says that the two Trojan downloaders, TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir, are being spread at a rapid pace through spam emails and phishing campaigns. Worryingly, they are targeting both home PC users and enterprise customers, and most of the victims are based in the United States and the United Kingdom.

Because Microsoft blocks execution of macros in Office by default, the Trojan authors add a notice to the document stating that its contents can only be viewed with macros enabled. On opening the malware-laden Word document or Excel sheet, the victim receives the default security warning stating that macros have been disabled, but some users simply disregard this message and enable the macros, allowing the Trojan downloaders to infect their PCs.

“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button”, according to Alden Pornasdoro of the Microsoft Malware Protection Center.

Once the Trojan downloader is downloaded, it starts to install other, deadlier malware on the systems it has infected. Microsoft says that the majority of invoices and orders sent by users do not require macros; if a user does come across such an order or invoice, they should be selective about running such documents or sheets.
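For mail administrators, the combination described above (a financial-themed subject plus a macro-bearing .doc or .xls attachment) can be checked at the gateway. The following is an added example, not code from Microsoft or from the original article; the function names, the subject pattern and the sample messages are assumptions, and the byte search for the VBA stream name is a heuristic rather than a full parse of the document.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc/.xls container signature
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE
# Assumed pattern, built from the themes of the subject lines listed in the article.
LURE_SUBJECT = re.compile(
    r"\b(invoice|order|payment|remittance|report|ACH|automated clearing house)\b",
    re.IGNORECASE)

def triage(raw_message):
    """Return one finding per .doc/.xls attachment found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    lure = bool(LURE_SUBJECT.search(str(msg.get("Subject", ""))))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith((".doc", ".xls")):
            continue
        data = part.get_payload(decode=True) or b""
        # Heuristic: a VBA project stores a stream named "_VBA_PROJECT"
        # inside the OLE container, so its UTF-16LE name appears in the file.
        has_vba = data.startswith(OLE_MAGIC) and VBA_STREAM in data
        findings.append({
            "file": name,
            "lure_subject": lure,
            "has_vba": has_vba,
            "quarantine": lure and has_vba,  # both signals together, as in the campaigns
        })
    return findings

def build_sample(subject, filename, payload):
    """Constructed test message; the payload is synthetic bytes, not a real document."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "billing@example.com"
    m["To"] = "user@example.com"
    m.set_content("Please see attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_macro_doc = OLE_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 16
    for finding in triage(build_sample("Invoice as requested", "ID_2542Z.xls", fake_macro_doc)):
        print(finding)
```

A macro-free invoice with the same subject is not quarantined, which matches Microsoft's observation that most invoices and orders do not need macros.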